Your web browser’s spell checker might have leaked your passwords

  • Enhanced spell checkers in Google Chrome and Microsoft Edge forward anything typed into a text box, including passwords, to their servers.
  • While browsers probably could have taken steps to prevent this, the fault also lies with websites, which could have disabled spell checking in certain text boxes.
  • The incident is a reminder of our reliance on cloud-connected services, privacy advocates warn.


The security community has long argued that people can’t always have both convenience and privacy, especially on the internet, and they have another example to drive home the point.

Josh Summitt, co-founder and CTO of JavaScript security firm otto-js, discovered that under specific but common conditions, the enhanced spell checkers in Google Chrome and Microsoft Edge leak sensitive information to their respective companies.

“This incident is indicative of what we’ve seen in the industry for years, telling us nothing that we haven’t already gleaned from past experiences,” Alon Nachmany, Field CISO, AppViewX, told Lifewire via email. “If anyone feels that Chrome, Gmail, or even Google’s search engine is Google’s product, they’re naive and incredibly wrong. We’re Google’s product.”

Wrong approach

Both browsers include basic spell checking features, which are enabled by default and do not transmit data to Google or Microsoft. However, Summitt found that when Chrome’s “enhanced spell checking” and Edge’s “Microsoft Editor” are enabled, they pass anything you type into a text box, including usernames, email addresses, social security numbers, etc., to the companies’ servers. Worryingly, if you click the “Show Password” button to check whether you entered the correct password, the enhanced spell checkers will even transmit your password.

According to tests by BleepingComputer, the enhanced spell checker passed credentials to Google from multiple websites, including Facebook, Bank of America, and Verizon.

“While it may seem basic, input fields on a page are not always straightforward for the browser to interpret its use,” Nachmany pointed out, emphasizing that this is a task best left to websites rather than browsers.

Additionally, Brian Chappell, Chief Security Strategist, EMEA and APAC, at BeyondTrust, says the “show password” feature on many websites is implemented locally by the site itself.

“This is not a case of Google’s Chrome not reacting correctly to a password field, but rather it is the browser reacting correctly to a text box that has not been marked as exempt from spell checking,” Chappell said. “Resolving this issue will be the responsibility of each website offering this feature.”

Chappell assures people that the concern for both browsers is with the enhanced services and not the basic spell check, which is enabled by default. At the same time, he thinks Google and Microsoft could better alert users, when they activate the respective enhanced spell checkers, that personally identifiable information (PII) might be passed to their servers, while sharing details about how that data will be processed and secured.
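
The site-side fix Chappell describes, as an added example that is not from the article or from any company named in it: sensitive inputs are marked with the HTML `spellcheck="false"` attribute, and a show-password toggle sets it before the field becomes `type="text"`. The field names and the `StubInput` class are constructed so the code runs under Node; in a browser the same functions accept real input elements.

```javascript
// Added example; field names and StubInput are constructed for illustration.
// autocomplete tokens from the HTML standard that mark a field as sensitive.
const SENSITIVE_AUTOCOMPLETE = new Set([
  "current-password", "new-password", "one-time-code",
  "cc-number", "cc-csc", "username", "email",
]);

// Password fields count even while masked, because a toggle may unmask them.
function isSensitive(el) {
  const type = (el.getAttribute("type") || "text").toLowerCase();
  const tokens = (el.getAttribute("autocomplete") || "").toLowerCase().split(/\s+/);
  return type === "password" || tokens.some((t) => SENSITIVE_AUTOCOMPLETE.has(t));
}

// Mark a field as exempt from spell checking.
function exemptFromSpellcheck(el) {
  el.setAttribute("spellcheck", "false");
}

// "Show password" toggle: exempt the field BEFORE it becomes a plain text box.
function togglePasswordVisibility(el) {
  const showing = el.getAttribute("type") === "text";
  if (!showing) exemptFromSpellcheck(el);
  el.setAttribute("type", showing ? "password" : "text");
  return el.getAttribute("type");
}

// Audit: names of sensitive fields a spell checker would treat as ordinary text.
function findUnprotected(elements) {
  return elements
    .filter((el) => isSensitive(el) && el.getAttribute("spellcheck") !== "false")
    .map((el) => el.getAttribute("name"));
}

// Constructed stand-in for a DOM element so the example runs offline.
class StubInput {
  constructor(attrs) { this.attrs = { ...attrs }; }
  getAttribute(k) { return k in this.attrs ? this.attrs[k] : null; }
  setAttribute(k, v) { this.attrs[k] = String(v); }
}

const form = [
  new StubInput({ name: "user", type: "text", autocomplete: "username" }),
  new StubInput({ name: "pass", type: "password", autocomplete: "current-password" }),
  new StubInput({ name: "comment", type: "text" }),
];

console.log(findUnprotected(form));
```
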

Too many clouds

Stepping back and looking at the larger issue, Librecast Project privacy advocate and community manager Esther Payne thinks we’ve gotten used to interacting with hosted services, but don’t fully understand the consequences.

“Why did the spell checker need to communicate with the database in the first place? For spell checking, why weren’t the dictionaries local?” Payne asked rhetorically in an email exchange with Lifewire.

Along the same lines, Nachmany warns people against browser extensions that use artificial intelligence to check spelling, grammar, or even help us write. Asking us to reflect on the origin of these recommendations, he underlines that the responsibility for the protection of our data rests firmly with us.

“Chrome, Gmail and the Google search engine are just tools to collect information and maintain the ability to reach us,” Nachmany said. “The reality is that having too much privacy can hurt Google’s bottom line, and like most tech companies, they have to make the distinction between security and privacy on a daily basis.”

While he thinks the companies will take steps to address this issue, he’s also sure other concerns will surface in the future.

According to Payne, the root of the problem for these intermittent issues lies solely in the tech giants’ approach to development during their formative years.

“The previous culture of ‘go fast, break things’ doesn’t just disrupt systems, it puts private information at risk,” Payne said.

Virginia C. Taylor